So, when you are looking at hiring or being hired in IT, you will always hear about certifications, but you want a good one. Great, let’s talk about some!

Which next? Well, let’s hit one of the odd-ball specialty certifications by Microsoft. The test is 070-0158. Sounds really engaging, doesn’t it? Microsoft test 070-0158, or even 70-158 as some people will write it. OK, no, the test number just sounds lame… but what does it get you? How about adding “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration” to your resume? Um, er, what does that mean? I mean seriously, does anyone care or understand? And is it a title or what?

So first let’s talk about what an MCTS is. Microsoft Certified Technology Specialist (MCTS) certifications are designed to validate candidates’ skills at using, planning, deploying and troubleshooting a specific Microsoft technology. They are also sometimes used as stepping stones to the Microsoft Certified IT Professional (MCITP) or Microsoft Certified Professional Developer (MCPD) certification. With an MCITP or MCTS, it is generally accepted practice to add the credential to the end of your name when emailing or signing things electronically, such as Joe Black, MCTS. Often you can list specifics in email signatures afterwards… but in general I don’t.

Now let’s get back to the certification at hand: “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration”. What is this one? This is a certification for the product listed, Forefront Identity Manager 2010. As such, this is an exotic one for people who deal with making Active Directory talk to other LDAP-based services using FIM. So the next question is: who is this for? What does Microsoft say?

“Typical candidates for this exam are Identity Specialists who deploy and manage Forefront Identity Manager (FIM) 2010 in an enterprise environment consisting of more than 5,000 identities with a dynamic lifecycle. These organizations may be geographically and/or organizationally dispersed and may require compliance with extensive regulations. The environment may include multiple applications that consume identities and/or multiple disconnected data sources.”

Don’t you love how Microsoft even has to put in parentheses what the acronyms are? However, more to the point… it really does say what this cert says you can do. What it doesn’t say is how good you have to be to pass the cert and whether the cert is worth anything. In general with an MCTS the level of proficiency is based on more than a year of actual use of the product with heavy troubleshooting skills. So what this means is that you really know how to implement, troubleshoot… and even explain a product. Oddly, this last one is almost as important as implementation skills on this one. FIM is just not a heavily used product. It is however an extremely valuable product because it makes other applications and even environments communicate by translating in a metaverse (yep, real term).

So how does this stand up to other certifications? An MCTS has a low time-in-use requirement; however, it also is very specialized. What makes this one different is that it is on an obscure technology that is normally used by people with over ten years in the industry. So while a low-level certification, this actually signifies something that normally sits with and above even an Enterprise Administrator’s MCITP. So on a ten scale, with MCM, MCSM, CCIE and JNCIE at the top as a ten, and Microsoft Technology Associate (MTA), Configuration and CCENT at the low end as a 1, how would I rate it? Alone I would rate it a 5. Connected to an MCITP: Enterprise Administrator, I rate it a 7. It is a major name and brings out a lot of conversation. It also shows significant skills and determination, as well as longevity in the field.

One caveat as always: remember when discussing certs, certs do not equal experience. Certs validate experience.

What do you think? And what certification would you like me to take a look at and grade next week?

Have you ever backed up your Domain Name System (DNS) records independent of the traditional system state backup of your domain controllers? No? So, if you lose DNS you are doing a full Active Directory restore? Yep. Oh, OK.

Um, why? Isn’t that kind of extreme? Let’s make this a little simpler, OK?

As Active Directory is one hundred percent dependent on the Domain Name System (DNS), it is critical that you back up your DNS servers on a regular basis. The most common method is to do a system state backup. Although this technique does work, it is all-or-nothing. This means that if you are having DNS problems, what do you do? You restore the system state which includes the Registry, Active Directory database, etc. Additionally, there is not a file to review in case one IP and name combination is lost. It is simply all or nothing.

How about a better way for those times when you don’t want to blow up the current domain?

Backing up an Active Directory integrated zone is just a little more complicated than the traditional DNS backup. It is simple. Do it. It is worth it. Really.

How? These simple steps. Export the zone and back up the export file. Yep, that is it. Use the following command to do it.

dnscmd /ZoneExport FQDN_of_zonename backup\Zone_export_file

dnscmd /ZoneExport AD.lab backup\AD.lab.dns.bak

dnscmd WS12-DC01 /ZoneExport AD.lab backup\AD.lab.dns.bak

The first line is the syntax. The second line exports the zone for AD.lab on the local server to a file called AD.lab.dns.bak in the %SystemRoot%\System32\Dns\Backup folder. The third line exports the same zone from the DNS server WS12-DC01 to a file named AD.lab.dns.bak in the %SystemRoot%\System32\Dns\Backup folder on the server named WS12-DC01. Be aware though that the export command will not overwrite any previous backup of the same name, so a second export with the same file name fails.

Oh, you want to know how to restore? Well, it will restore your whole DNS for that zone, so be careful. Traditionally you do this after the zone is gone. Check the tech tip for the steps for a basic restore.

Well, first off, validate that you have a current system state backup and a backup of the zone. The system state is in case of corruption. Remember, your backup procedures should include testing any process in the lab before doing it in live production. Then delete the current corrupt zone, and restore the zone from the export file.

The first restore command loads the zone from the export file as a standard primary zone. The second converts the zone to Active Directory integrated DNS. The last enables secure dynamic updates. Oh, and you are now done. If you had specialized security on the zone… time to rebuild that as well, if you need it.
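The export and restore procedure above, wrapped in PowerShell around the same dnscmd.exe calls, as an added example that is not the post’s own script. The server and zone names (WS12-DC01, AD.lab) come from the post; the function names, the date-stamped export file name and the exact dnscmd switches for delete, add, type reset and update policy are my assumptions from the dnscmd reference, so run it in the lab first, exactly as the post says.

```powershell
# Added example, not from the original post. Run from an elevated prompt on a DNS
# server / domain controller that has dnscmd.exe. Assumed names: the two functions
# below, $Server / $Zone / $OffBoxCopy parameters.

function Invoke-DnsCmd {
    # dnscmd.exe does not throw on failure, so turn a non-zero exit code into an error.
    param([string[]]$Arguments)
    & dnscmd.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Backup-AdDnsZone {
    param(
        [string]$Server     = 'WS12-DC01',   # DNS server name from the post
        [string]$Zone       = 'AD.lab',      # zone name from the post
        [string]$OffBoxCopy = '\\FILESERVER\DnsBackups'   # assumed share for the copy
    )
    # /ZoneExport refuses to overwrite an existing file, so stamp the name with the
    # date and time; then every scheduled export succeeds and old copies are kept.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $fileName = "backup\$Zone.$stamp.dns.bak"
    Invoke-DnsCmd @($Server, '/ZoneExport', $Zone, $fileName)

    # The export always lands under %SystemRoot%\System32\Dns on the DNS server.
    $exported = "\\$Server\admin$\System32\Dns\$fileName"
    if (-not (Test-Path $exported)) { throw "Export file not found: $exported" }

    # Copy the plain-text zone file off the domain controller so it survives the
    # loss of that server and can be read line by line when one record goes missing.
    Copy-Item -Path $exported -Destination $OffBoxCopy
    return $exported
}

function Restore-AdDnsZone {
    param(
        [string]$Server = 'WS12-DC01',
        [string]$Zone   = 'AD.lab',
        [Parameter(Mandatory)][string]$ExportFile   # full path to the .dns.bak copy
    )
    # The zone file must sit directly in %SystemRoot%\System32\Dns to be loaded.
    $dnsFolder = "\\$Server\admin$\System32\Dns"
    $zoneFile  = "$Zone.dns"
    Copy-Item -Path $ExportFile -Destination (Join-Path $dnsFolder $zoneFile) -Force

    # Step 1: remove the corrupt zone; /DsDel removes an AD-integrated zone from
    # the directory, /f suppresses the confirmation prompt.
    Invoke-DnsCmd @($Server, '/ZoneDelete', $Zone, '/DsDel', '/f')
    # Step 2: load the export as a standard primary zone (the post's first command).
    Invoke-DnsCmd @($Server, '/ZoneAdd', $Zone, '/Primary', '/file', $zoneFile, '/load')
    # Step 3: convert it back to Active Directory integrated (the second command).
    Invoke-DnsCmd @($Server, '/ZoneResetType', $Zone, '/DsPrimary')
    # Step 4: allow secure dynamic updates only; 2 = secure only (the last command).
    Invoke-DnsCmd @($Server, '/Config', $Zone, '/AllowUpdate', '2')
}

# Usage: take a backup now, and keep the returned path for the day you need it.
# $file = Backup-AdDnsZone
# Restore-AdDnsZone -ExportFile $file
```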

Hard? Nope. How about you back up the DNS in your domain now? It just takes a minute to export it. So let’s export and back up your DNS. One more step towards the new modus operandi: just say no to “blowing up” your Active Directory.

Do you have a lab? Specifically, do you have an Active Directory lab? Do you need a lab? Hint: the answer is yes. The modus operandi for the industry has been simple: salvage your old equipment and build an ad hoc lab. Times have changed and that now begs the question: is that really good enough? Nope. It wasn’t back in the day, and it certainly isn’t today.

So let’s get down to business and look at what you need for your lab. One thing any IT professional will agree on is that building a lab is an essential part of preparing for a variety of tasks such as an Active Directory transition, an Active Directory migration, a Novell migration, schema changes, and the list goes on. Anything that changes your current settings in Active Directory beyond a single account should always hit the lab first. The lab is there so you can do a dry run, practice and validate any process. It is a lab environment. If it blows up, you get the experience gained from rebuilding it.

So a lab should closely mirror the production environment (in every way that is feasible). While it is not feasible to completely mirror production’s many application servers and enterprise computing platforms, it should be as close as possible and account for the business-critical applications, or at least include a small sampling of those servers. It should also have workstations if you use workstations.

Without a close replica of the production environment, organizations cannot successfully plan for potential show-stopping events from infrastructure changes. Think of the results of a schema extension preventing a domain upgrade (I have seen these). Think of a time configuration error that is allowing domain controllers to lose synchronization (these are common). Think of a large PowerShell script importing thousands of groups into the wrong OU (stopped this before).

Any process that has an impact on your current Active Directory environment should be tested.

An implementation of a new lab cannot account for the “history” or breadth of the production environment. This includes some of the following examples: schema extensions over time, upgrades of operating systems, administrative changes in functionality, current policies in effect, and anything you don’t see in a DCDIAG. Everyone agrees that implementing a lab environment using the concept of “mirroring”, or as close to a mirrored environment as possible, is crucial to a successful implementation of an upgraded or migrated environment.

There are many strategies for implementing a lab environment, but they all have their own caveats to plan for in order to avoid disaster. The best mirror methodology is to introduce a new domain controller in the production domain, replicate all data, remove the domain controller and place it in the lab environment, and then perform metadata cleanup on both the production and lab environments. This gets you a copy of the real environment. In the production environment the metadata cleanup removes all existence of the newly promoted DC to avoid replication failures. In the lab environment the metadata cleanup removes all existence of the missing domain controllers in the forest. The cleanup consists of seizing the FSMO roles, using NTDSUTIL to clean up the metadata, and then going through and manually pruning each side from the other.

There is a major risk for this best-of-breed lab. The lab environment must be guaranteed to never touch the production environment. If this were to occur, two separate domain controllers would attempt to assume the FSMO roles and would cause all sorts of issues… the best possibility would be USN rollback and dire replication issues. As such, while a lab environment is essential, there are many preventative tasks that must be performed to ensure the lab environment is never in contact with the production environment. This should be locked down by all available security measures. A very critical security concern is if the lab environment is a virtualized environment. Domain controllers are only as secure as the server they run on.

I always recommend using a dedicated Hyper-V V3, VMware vCenter Lab Manager or VMware ESXi environment. Please note that this security is essential, as if the VHD or VMDK files end up in production they can potentially cause a true full-scale outage and additional security risks.

Scared yet? You should be. Well, this best-of-breed approach is the best of breed, but it needs to be done methodically.

Going to give it a try? Good!

Now everyone, let’s work together to make the new IT modus operandi: just say no to “blowing up” your Active Directory.

When you start building domain controllers, one of the simple ideas people bring up is that you always leave the Active Directory data (NTDS database, Sysvol and logs; also known as directory data) in the default location in the Windows directory. The idea is that they are tucked away and difficult to stumble across accidentally and start playing around with. Others simply say: it is where they belong.

Well, it is probably obvious by now, that I disagree with the popular sentiment.

One of the problems is that most people confuse the Active Directory Domain Services role (making the server a Domain Controller) with the server. The reality is that the Active Directory Domain Services role is simply that: a role. When doing work in your lab, or troubleshooting and restoring your enterprise systems, you need to be able to easily back up or even copy everything related to that role. Why hide it in the Windows directory with thousands of other files and folders?

When you isolate these folders and files into a single root-level directory (I like C:\ADDS) you gain one directory to manage. One directory to exclude from anti-virus; yes, you have to exclude the NTDS database, Sysvol and logs from anti-virus scanning (if you even put anti-virus on your domain controllers… another topic to discuss at a later date). It also allows you to easily copy everything to do with Active Directory with the right click of a mouse or a simple backup command (to get everything). This is awesome when troubleshooting things like Journal Wrap or doing restoration of login scripts or even Active Directory itself. It is a life saver for a quick directory restore operation.

The idea here is to make your management of Active Directory simpler. Now comes some neat things you can do if you have additional physical volumes to move these files to.

In a large environment, placing the directory data (Sysvol, NTDS, Logs) on its own NTFS partition reduces disk I/O contention. This can reduce some chances of error, such as FRS just not keeping up with changes. Additionally, reducing disk I/O lets the Active Directory Domain Services server run more efficiently as well. This can be vital for an enterprise PDC Emulator. More efficient, better I/O adds to the number of client requests that can be processed. From a performance point of view you could use three separate disk arrays: one disk array for your boot partition, one disk array for your Active Directory database and the Shared System Volume (SYSVOL) folder, and one disk array for your Active Directory log files.

However, remember that Active Directory is based on a database. As such, if you want the absolute best performance possible… separate all three parts of the directory data onto three separate drives. Granted, this is only done when an enterprise needs extreme responsiveness. However, this starts to get to be a management headache, as you now have to back up three separate drives. Let’s just keep it simple if we can, OK?

What are the negatives? If this is going to be a Domain Controller that is not going to be managed by trained staff… don’t do this. Some administrators won’t realize that they should look for the directory data elsewhere. However, this is a situation where training can fix it. Additionally, sometimes you may want to use simple step-by-step guides found online… and the administrator will need to adjust the commands on the fly.

Is it doable with the negatives? Yes. Do I consider the advantages more valuable than the risks from the negatives? Absolutely. It keeps things simple for backups, restores and troubleshooting. You can isolate your directory data and make your life simpler.

Have you ever just been staring at your computer saying, “Come on already!” Or, “if you don’t hurry up, I am getting out a soldering iron and converting you into a toaster!” No? Are you lying to me? Am I just impatient? Well, if I am, I am not alone. However, experience has been kind enough (read: I am still alive) to teach me that sometimes, it just takes time.

In general, patience is hard learned in computer work. I remember coming up with the Starbucks rule. When creating VPN changes, make your changes and then go to Starbucks; when you get back it will be working. When it comes to Active Directory, it is actually worse. Patience isn’t needed just to get the things working: patience is required so that Active Directory isn’t damaged by troubleshooting.

You see, when doing Active Directory work, you sometimes need to slow down. Why? It all takes time. KCC, time synchronization and replication over however many links data has to go across. This is just how Active Directory works since it is a multi-master system. And before anyone gets any ideas… yes, we all want it to be a multi-master system and accept this as normal.

As a general rule, when doing a major Active Directory project, work at the pace of the slowest task. Let the changes propagate. They need to. In fact, over time it appears that once everything is done and complete… give it a good twenty-four hours and then double check it.

Twenty-four hours? Am I insane? Nope.

Take the time and validate that the changes propagated. Why? You see, one of the biggest pains in Active Directory is when you don’t realize your environment has some KCC, replication or time errors… and the changes you think went through… didn’t. This does happen. So don’t rush it.

When you rush it, you make mistakes. Like not backing up every domain controller when doing a domain transition, or not documenting the changes you are making in a migration. Take the time that the job actually requires.

Oh, and since you’re now taking the time to do it right, how about we all try and remember to finish the job. Active Directory projects are left incomplete in epic proportions. Take the time, and finish it. Really finish it. Yes, even fill out Sites and Services. It is all important and makes it easier for those who come after you.

When working with Active Directory just take it methodically. Then make sure the replication is done. Rush and you may make a mistake and end up rebuilding your forest.

On Friday the seventh of September Microsoft sent out an email that is bound to drive many of the Windows 7 certified IT folk to drink. And Microsoft should have known better. Hopefully you have read my valuation of the MCITP Windows 7, Enterprise Desktop Administrator… it will help explain what the confusion really is about. But wait, there is more! Well here is an excerpt from the email they sent out.

“Soon you will receive an email to congratulate you on your Microsoft Certified Solutions Associate (MCSA): Windows 7 certification you have earned. You may be wondering what the MCSA: Windows 7 certification is and how did you earn it.”

“In April 2012, Microsoft announced new certifications that have been re-invented for the cloud, covering on-premises skills as well as in the cloud. As part of our efforts to grandfather our existing customers into the new program, we are awarding those individuals a new certification under the new certification program to jump start them towards an expert level certification in the program. For individuals that have already earned the Microsoft Certified IT Professional (MCITP) Enterprise Desktop Administrator or MCITP: Enterprise Desktop Support Technician, they are being granted the MCSA: Windows 7 certification.”

So, there are two Windows 7 MCITPs that are completely different certifications… wouldn’t you expect Microsoft to know better? Guess not; they are adding a third… that is meaningless. So how do you tell which Windows 7 certified staff know client management and which are highly trained help desk technicians? Wait, you can’t? Nope… not with that MCSA. So what do they mean? Great question! Microsoft, what do they mean?

You know, there is one other weirdness here. MCSA was used for a decade plus to define the Microsoft Certified Systems Administrator… a server certification (actually you can still get one). So, we have a “free certification” under the new model.

So, when you are looking at hiring or being hired in IT (or maybe more aptly named in the old days, managing information systems staff) you will always hear about certifications. You went and decided to get one… and supposedly this blog is going to help you find some value in them, right? Right. Here goes the second article in the series. It is starting with one of the least coveted, most often required and completely misunderstood certifications.

So what does the MCITP Windows 7, Enterprise Desktop Administrator certification mean? It means you can support Windows 7, right? Wrong. Would you believe that the actual MCITP test doesn’t even include supporting Windows 7 systems or users in the description of skill measured? Not even one percent.

Here is the breakdown of what skills are measured with the final test for this. Planning and Managing a Client Life Cycle Strategy (16%); if this sounds more like planning the management of a bunch of workstations, then you are right. Designing a Standard Image (17%); hey, wait a minute, this is a major task that you do when deploying operating systems, isn’t it? Yes it is. Designing Client Configurations (17%); this sounds like more deployment skills… maybe even large-scale deployment skills. Designing a Windows 7 Client Deployment (15%); OK, this is straight-up deployment… and it actually touches on MDT and SCCM (System Center Configuration Manager). Designing Application Packages for Deployment (17%); packaging, are you kidding, this is a major task that is often outsourced because people do not know how to do it… but wait, there is more. This section also includes deployment strategies and skills including virtualized, Remote Desktop Services, Group Policy, or software distribution (read SCCM). Identifying and Resolving Deployment and Client Configuration Issues (19%); this should read: Windows 7 troubleshooting from the domain, forest, network, and Group Policy Object or deployment level.

So if you couldn’t find the support Windows 7 angle, you are looking at the wrong part here. See, the support skills are a building block to get to the MCITP. They are tested in the MCTS: Windows 7, Configuring certification, which someone with this cert has to have already earned. So getting to the MCITP includes support elements, but it really is more of a managing-workstations certification than a support certification. This certification validates your ability to deploy operating systems and desktop applications and to manage the Windows 7 client life cycle.

There actually is a Windows 7 support certification at the MCITP level. MCITP: Windows 7, Enterprise Desktop Support Technician is the certification for support.

So Microsoft says the audience is: “Candidates for this exam should have a minimum of three years of experience installing, configuring, and administering clients in a Windows networked environment and also have experience deploying operating systems and applications. Candidates should be familiar with the client administration capabilities of Windows Server and with management tools such as the System Center suite of products.” So they are expecting three years of high end, highly skilled work that just happens to be directed to workstations.

Now let’s compare this to the candidate audience for the MCITP: Windows 7, Enterprise Desktop Support Technician that everyone seems to be mixing up with this certification. “Candidates for this exam support end users who run Microsoft Windows 7 in a corporate environment. They should have experience using applications that are included with the operating system, such as productivity applications used in a corporate environment and Microsoft Office applications.” Did you notice the lack of a time in the role listed? Yep, it isn’t there. This is a significantly lower valued certification.

For my reviews I will be rating certifications on a 1-10 scale. Ten will be the highest, with one the lowest. So on a ten scale, MCM, CCIE and JNCIE sit at the top as a ten, and Microsoft Technology Associate (MTA), A+ and CCENT sit at the low end as a 1. Well, I hope you weren’t waiting for me to rate those six certs… they were just rated as my baseline.

How would I rate these? First off let’s rate the certification everyone mistakenly thinks this cert is. I would rate MCITP: Windows 7, Enterprise Desktop Support Technician at about a 3 on my scale. The certification does not have a long time in the role required to master the skills and is mainly aimed at technicians able to resolve operating system issues by telephone, email, connecting to an end user’s system remotely, or by visiting an end user’s desktop.

MCITP Windows 7, Enterprise Desktop Administrator is a weird one. The perceived value is low, possibly a 3, as everyone mistakes it for the other Windows 7 MCITP. However, the real value of the skills this represents is significantly higher. I would rate this certification a 5. Additionally, if this certification is combined with an MCTS: Windows 7 and Office 2010, Deploying, that is a major boost. That combination would rate as a six… and nearly any consulting firm that does Windows 7 (or 8) deployments is, or should be, looking for just that combination.

What do you think? And what certification would you like me to take a look at and grade next week?

So, when you are looking at hiring or being hired in IT (or maybe more aptly named in the old days, managing information systems staff) you will always hear about certifications. Great, let’s get some! So, you have a cert now. What does it matter? What do they really mean? As the first in a series of articles on certification on this site, I am going to take a look at a variety of certifications and help you understand what they mean and help pin a little bit of valuation on them. Not in cash, but in skill level.

Today we live in an age where everything we do is cataloged, blogged about, qualified and quantified. But in the end, all people can say is where you worked and what people say you have done. Think of certifications as putting up headers or tabs in those catalogs of you. Headers saying: yes, I can do that. In the end, one caveat: remember when discussing certs, certs do not equal experience; certs validate experience.

So how does your certification stand up to other certifications? To look at that we look at a variety of things. One is how much time the certified person is expected to have worked in the technology before taking their certification. An additional view is how specialized it is. Sometimes what makes a certification different is that it is on an obscure technology. In these cases even a low-ranked certification, such as an MCTS, could be valuable for its rarity. An example of this is the “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration”. Ninety-nine out of a hundred people have never even heard of the technology, but if you need someone to manage or implement it, it can take years of effort just to find someone.

Here is another piece to remember: when prepping for a certification, can you really just study a book and pass the test? One example is the A+. Everything I have heard is a yes. Granted, that is hearsay; I have never taken it. On the other hand, “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration”? Good luck. I don’t think 99 out of 100 people could pull it off.

And lastly, there is another component that should always be looked at. That is a simple question: does this certification enhance or get enhanced by another certification? This has to be taken into account when doing a valuation of certifications.

For my reviews I will be rating certifications on a 1-10 scale. Ten will be the highest, with one the lowest. So on a ten scale, MCM, CCIE and JNCIE sit at the top as a ten, and Microsoft Technology Associate (MTA), A+ and CCENT sit at the low end as a 1. Well, I hope you weren’t waiting for me to rate those six certs… they were just rated as my baseline.

In this series I will review many certifications. These certifications will all be IT related in some way or another, and I will try and qualify these so you can think about what your headers will be. One thing though, always keep that one caveat in mind: remember when discussing certs, certs do not equal experience; certs validate experience.

What do you think? And what certification would you like me to take a look at and grade next week?

Sometimes you just want to see how something is done. Well, today we are going to look at how to build a basic forest. This is for the first domain controller in your lab. Yes, I said lab. You want a lab. Why do you want a lab? It lets us see if anything is going to break. Or as close as we can ever get.

Now everyone, let’s work together to make the new IT modus operandi: just say no to “blowing up” your Active Directory.

So, in sixty-seven simple steps… let’s build the lab so we can live up to that new modus operandi. Just follow the recorded steps.
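As an added example (not the recorded steps and not the author’s own script), here is the same first-domain-controller build done with the Server 2012 ADDSDeployment cmdlets, with the directory data isolated under the single C:\ADDS root recommended in the earlier post on directory data placement. The forest name AD.lab, the NetBIOS name AD, the function name and the use of a prerequisite dry run before promotion are my assumptions; the cmdlet and registry value names are the real ones.

```powershell
# Added example, not from the original posts. Run from an elevated PowerShell V3
# prompt on a freshly installed, standalone Windows Server 2012 lab box.

$DomainName  = 'AD.lab'   # assumed lab forest name
$NetbiosName = 'AD'       # assumed NetBIOS name
$AddsRoot    = 'C:\ADDS'  # the one root directory for NTDS, Logs and SYSVOL

# 1. Put the AD DS binaries and the management tools (incl. the ADDSDeployment
#    module) on the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# 2. Create the single root folder; promotion creates the subfolders below it.
#    This is also the one path to exclude from anti-virus scanning later.
New-Item -Path $AddsRoot -ItemType Directory -Force | Out-Null

# 3. Directory Services Restore Mode password, prompted rather than hard-coded.
$dsrmPassword = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# 4. One parameter set, used for both the dry run and the real promotion.
$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = Join-Path $AddsRoot 'NTDS'
    LogPath                       = Join-Path $AddsRoot 'Logs'
    SysvolPath                    = Join-Path $AddsRoot 'SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $true   # check the paths before the reboot
    Force                         = $true   # no confirmation prompts
}

# 5. Dry run first: it is a lab, so let the prerequisite checker find the problems
#    (name resolution, unsupported paths, missing features) before anything changes.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Forest installation prerequisite check failed; fix the lab and rerun.'
}

# 6. Promote the server to the first domain controller of the new forest.
Install-ADDSForest @forestParams | Out-Null

# 7. Read back where the directory data actually landed, straight from the
#    registry values the NTDS and Netlogon services use.
function Get-DirectoryDataPaths {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database = $ntds.'DSA Database file'
        Logs     = $ntds.'Database log files path'
        Sysvol   = $nl.SysVol
    }
}

$paths = Get-DirectoryDataPaths
$paths | Format-List
# Every path must start with C:\ADDS; anything else means a parameter was dropped.
$paths.PSObject.Properties | ForEach-Object {
    if ($_.Value -notlike "$AddsRoot\*") { throw "$($_.Name) is not under $AddsRoot : $($_.Value)" }
}

# 8. Only now finish the promotion with the reboot the cmdlet deferred.
Restart-Computer
```

After the reboot, the NTDS, Logs and SYSVOL folders under C:\ADDS are the one directory to back up, copy into the lab, or exclude from anti-virus, as the directory data post describes.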

The release of WS12 is going to have a major impact on all of us who implement and manage Windows environments. There are major changes and we are all going to learn them or go the way of the dinosaur. As someone who grew up in CP/M, trust me: it can be done. So what are the big standouts on changes that I am going to have to worry about?

First off we have the interface, and for the first time since Windows NT 4, we have a major interface overhaul. And I mean a major overhaul. To me it seems like an amalgamation of Windows 2000, 3.0 (yes, 3.0) and Windows Phone 7. Does it work? Yes. Do I consider the look somewhat hideous? Yes. Could I get used to it? You bet.

PowerShell V3 for the win. When you add domain functionality you get a link that lets you output the settings. These are actually the output of a PowerShell script. PowerShell is now everywhere… as it should be. The days of DOS, PowerShell V1, PowerShell V2, Quest PowerShell and VBS being mixed everywhere are done. When servers are 2012, PowerShell V3 rules the roost and renders the others inconsequential. Now, if you are a VBS guy, well, as a CLI guy I feel for you… but get over it.

While I am going to skip talking about all the incredible new features of 2012, let me just set one expectation: Active Directory Domain Services 2012 is a massive upgrade. Not a minor update like 2008 R2, where you received great functionality with hideous management so people just ignored it. No, you gain everything. Features, functionality and most of all usability; Server 2012 has it all in the new version of Active Directory. Think of all the pain we have all gone through trying to convert from Quest PowerShell to the PowerShell V2 AD cmdlets. Well, everything you do now is shown with its PowerShell syntax.

I really want to go over the new functionality like the new virtualization-safe domain controller cloning or the death of USN rollback… but let’s not get ahead of ourselves. Download the OS and install it. It took me 30 minutes to download, install and configure Active Directory. How long do you want to wait to lab yours?